Can anybody explain OAuth to an idiot?

Question

That idiot being me.

I've read a bit about it at http://oauth.net/ , it's "a simple way to publish and interact with protected data" apparently.

I think it's exactly what I need to provide a secure way of accessing data from an android/iphone app via a REST web service, but I can't work out exactly what it is.

So, put simply, what exactly does it do and are there any (really) simple examples of it in action I can follow, preferably implementing something in c# that can be accessed from a smartphone app?

Thanks.

Answer 1

From the link provided by Craig Stuntz:

Open ID gives you one login for multiple sites. Each time you need to log into Zooomr – a site using Open ID – you will be redirected to your Open ID site where you login, and then back to Zooomr. OAuth lets you authorise one website – the consumer – to access your data from another website – the provider. For instance, you want to authorise a printing provider – call it Moo – to grab your photos from a photo repository – call it Flickr. Moo will redirect you to Flickr which will ask you, for instance, “Moo wants to download your Flickr photos. Is that cool?”, and then back to Moo to print your photos.

I think that's a very good definition. As for links and examples I may recommend:

• DotNetOpenOAuth, which stackOverflow is in the use-cases.
• OAuth library for .NET released by Madgex with documentation and demos available.

Hope it helps.

Answer 2

checkout this link. Android – OAuth updates to Twitter Is this what you are looking for?

Answer 3

OAuth is an alternative way for applications to keep login data without having the real data stored at all.

When you log into some page, you usually have a username and a personal password, or any other sort of login credentials. Now, if you want an application to be able to do stuff over that login, you would need to give that application your original login data. Which means that you enter both your username and your password into the application. That isn't bad so far, but the thing is that if you want to stay logged in via that application, it needs to store your credentials. But to make it possible to send the correct login data to the actual page, it needs to store those in their original form (just with some encryption or something). So if someone knows how the data is stored in the application, they can extract your original login credentials.

This is a security issue and exactly where OAuth comes in. With OAuth, every application is identified by a consumer key and a consumer secret. Both are unique to the client and usually no user will ever get to see those (especially not the secret). Now when you want to allow your application to have access to the page, you start the OAuth authorization process. You simply login to the page and explicitely allow that special application (identified by the consumer key) to have access. If you do that, the application will receive another key pair, the access token and access secret. That key pair only works for your account and only works when used by the exact application (identified by the consumer key, and secured to be the original app by the consumer secret). Now all the application needs to store is that access key pair (together with the already stored consumer key pair) and it will have access to the page without ever seeing your original login data.

That way, nobody will be able to get your actual login details, and nobody else (or no other application) will be able to use the generated access credentials to access the page. And if you don't want the application to have still access, you can easily revoke the access key pair, so that the application won't be able to use it any longer.

So OAuth is just a way to protect your real login data. Apart from that it does not add any other level of security or something, it's just to secure your data.